bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 02:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62.exe
Size

965KB
MD5

a4b017d33ab1777d4e2ae72061391bd5
SHA1

7f3f18dc8f9b636d91e27955b7af03ff776bae94
SHA256

bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62
SHA512

21e83758d1b8fa7f9c8862f88bb4be5f48fcb7879f3901edc8ab63d3702efc244b745547084714eb2171535fcf057990c270dd2ac03d8a8f0e3423b6c130e07f
SSDEEP

6144:Zuj8NDF3OR9/Qe2HdklrSqjzQtJnjqno2k29eLG:4OF3ORK3d9QzQtJnjqno2k29H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2972	casino_extensions.exe
3668	Casino_ext.exe
3520	casino_extensions.exe
2092	Casino_ext.exe
2284	LiveMessageCenter.exe
2940	casino_extensions.exe
1312	Casino_ext.exe
3424	LiveMessageCenter.exe
2816	casino_extensions.exe
1560	Casino_ext.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3668	Casino_ext.exe
3668	Casino_ext.exe
2092	Casino_ext.exe
2092	Casino_ext.exe
2284	LiveMessageCenter.exe
2284	LiveMessageCenter.exe
1312	Casino_ext.exe
1312	Casino_ext.exe
3424	LiveMessageCenter.exe
3424	LiveMessageCenter.exe
1560	Casino_ext.exe
1560	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2728	bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4680	2728	bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62.exe	83
PID 2728 wrote to memory of 4680	2728	bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62.exe	83
PID 2728 wrote to memory of 4680	2728	bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62.exe	83
PID 4680 wrote to memory of 2972	4680	casino_extensions.exe	84
PID 4680 wrote to memory of 2972	4680	casino_extensions.exe	84
PID 4680 wrote to memory of 2972	4680	casino_extensions.exe	84
PID 2972 wrote to memory of 3668	2972	casino_extensions.exe	85
PID 2972 wrote to memory of 3668	2972	casino_extensions.exe	85
PID 2972 wrote to memory of 3668	2972	casino_extensions.exe	85
PID 3668 wrote to memory of 2644	3668	Casino_ext.exe	86
PID 3668 wrote to memory of 2644	3668	Casino_ext.exe	86
PID 3668 wrote to memory of 2644	3668	Casino_ext.exe	86
PID 2644 wrote to memory of 3520	2644	casino_extensions.exe	87
PID 2644 wrote to memory of 3520	2644	casino_extensions.exe	87
PID 2644 wrote to memory of 3520	2644	casino_extensions.exe	87
PID 3520 wrote to memory of 2092	3520	casino_extensions.exe	88
PID 3520 wrote to memory of 2092	3520	casino_extensions.exe	88
PID 3520 wrote to memory of 2092	3520	casino_extensions.exe	88
PID 2092 wrote to memory of 1252	2092	Casino_ext.exe	89
PID 2092 wrote to memory of 1252	2092	Casino_ext.exe	89
PID 2092 wrote to memory of 1252	2092	Casino_ext.exe	89
PID 1252 wrote to memory of 2284	1252	casino_extensions.exe	90
PID 1252 wrote to memory of 2284	1252	casino_extensions.exe	90
PID 1252 wrote to memory of 2284	1252	casino_extensions.exe	90
PID 2284 wrote to memory of 3964	2284	LiveMessageCenter.exe	91
PID 2284 wrote to memory of 3964	2284	LiveMessageCenter.exe	91
PID 2284 wrote to memory of 3964	2284	LiveMessageCenter.exe	91
PID 3964 wrote to memory of 2940	3964	casino_extensions.exe	92
PID 3964 wrote to memory of 2940	3964	casino_extensions.exe	92
PID 3964 wrote to memory of 2940	3964	casino_extensions.exe	92
PID 2940 wrote to memory of 1312	2940	casino_extensions.exe	93
PID 2940 wrote to memory of 1312	2940	casino_extensions.exe	93
PID 2940 wrote to memory of 1312	2940	casino_extensions.exe	93
PID 1312 wrote to memory of 2712	1312	Casino_ext.exe	94
PID 1312 wrote to memory of 2712	1312	Casino_ext.exe	94
PID 1312 wrote to memory of 2712	1312	Casino_ext.exe	94
PID 2712 wrote to memory of 3424	2712	casino_extensions.exe	95
PID 2712 wrote to memory of 3424	2712	casino_extensions.exe	95
PID 2712 wrote to memory of 3424	2712	casino_extensions.exe	95
PID 3424 wrote to memory of 4276	3424	LiveMessageCenter.exe	96
PID 3424 wrote to memory of 4276	3424	LiveMessageCenter.exe	96
PID 3424 wrote to memory of 4276	3424	LiveMessageCenter.exe	96
PID 4276 wrote to memory of 2816	4276	casino_extensions.exe	97
PID 4276 wrote to memory of 2816	4276	casino_extensions.exe	97
PID 4276 wrote to memory of 2816	4276	casino_extensions.exe	97
PID 2816 wrote to memory of 1560	2816	casino_extensions.exe	98
PID 2816 wrote to memory of 1560	2816	casino_extensions.exe	98
PID 2816 wrote to memory of 1560	2816	casino_extensions.exe	98
PID 1560 wrote to memory of 2148	1560	Casino_ext.exe	99
PID 1560 wrote to memory of 2148	1560	Casino_ext.exe	99
PID 1560 wrote to memory of 2148	1560	Casino_ext.exe	99
PID 2148 wrote to memory of 3064	2148	casino_extensions.exe	100
PID 2148 wrote to memory of 3064	2148	casino_extensions.exe	100
PID 2148 wrote to memory of 3064	2148	casino_extensions.exe	100

C:\Users\Admin\AppData\Local\Temp\bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62.exe
"C:\Users\Admin\AppData\Local\Temp\bbae641cfeb6467f9400254909f7d312d5f31f936cdc08bc723b7f1555d97c62.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        15⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        18⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        19⤵
        
        PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
976KB

MD5
07462598d81d2b120041289b807c75c3

SHA1
4c0ddd7c1bdfd587c7eecf48dc56428579dcb923

SHA256
fa531040bbe11887b28053a584ca803b18a243fe692f2f3f76c3fab38c53e3f2

SHA512
51e372bec386f1250a4ce57de59d8f0fd37b309079145380be6433e578ae6c8d436a1c3adebad377909e2d83337e2a2229e8ce8e3e967770cf1ec50ab8a03925

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
969KB

MD5
c4cd207f21ac9cd9ea69a8af4b9eb5d3

SHA1
c29b8cae879b3e7dd55476f0fa8c00582aabaacf

SHA256
1bae24519ecd6061cb1f8ae500c0a91d8e51e7ed548a25eede74f57155754233

SHA512
e0d8f10a1250d54e40f8d99bdf3d522479701d8a0e4a41812ecafa56f4ba39ec17fc728a991539cb35f0f616367b5889907a7fb73d554a54a84b14eebd8bb1ad

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
978KB

MD5
f2f51762cc2d073f0bbe2445c0002cd5

SHA1
8cf801d4773cc5529e56c2d3f62bed58c6303f61

SHA256
66abf4554e7b83e73c306c354899d39337a695cc63b1f38a52f092e2adc9d5e0

SHA512
e9b8f064203aae9d1a21f4be3225ddd49c2fec974affd7fd7b66246286e6c47d71219881820cb3b0546fd8d11a2c8d64ca3c6905d0acea566b3233a35162badf

Download Submit
memory/2728-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2972-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download